cybersecurity law for corporate counsel 10, 2019 cybersecurity for...• data security liability...
TRANSCRIPT
10/07/2019
1
womblebonddickinson.com
Cybersecurity Law for Corporate Counsel
July 10, 2019
Allen O’Rourke
p2
Presentation Roadmap
A. Internet for Lawyers
B. Cyber Incident Response
C. Breach Notification
D. Cybersecurity Law Trends
Confidential Attorney Work Productand Attorney-Client Privileged
10/07/2019
2
66.57.3.106
Network
10/07/2019
3
Router
Inter-network
“Internet”
10/07/2019
4
IP address 149.101.1.119
IP address54.239.17.6
To: 54.239.17.6From: 149.101.1.119GET WEBPAGE
Computer used to visit website
Computer “server” hosting the website
To: 149.101.1.119From: 54.239.17.6
149.101.1.119 visited on 3/3/2017 at 1:30pm (EST)
Server Log
Internet Protocol (IP)
IP address 149.101.1.119
IP address54.239.17.6
To: 54.239.17.6From: 149.101.1.119GET WEBPAGE
To: 149.101.1.119From: 54.239.17.6
DNS Servers
What’s the IP address for “amazon.com”?
54.239.17.6
Domain Name System (DNS)
10/07/2019
5
Router
Internet
UnsolicitedIncoming
UnauthorizedOutgoing
SolicitedIncoming
Firewall
10/07/2019
6
p11
Presentation Roadmap
A. Internet for Lawyers
B. Cyber Incident Response
C. Breach Notification
D. Cybersecurity Law Trends
Company got a tip from the FBI …
• We believe hackers gotinside your network.
• Here are IP addressesfor about 75 computerswe think are infected.
• Can we have copies of some of your infected computer systems for our investigation?
• Watch what you say in your emails, since the hackers might be monitoring them now.
10/07/2019
7
But the FBI’s tip got worse …
• These are sophisticated foreign hackers that we’ve been tracking for a long time.
• From past experience, we think they’re preparing to launch a “ransomware attack”
that encrypts yourcomputers until youpay a huge ransom.
Incident Response (IR) PlaybookDetect and verify the incident.
14
Mitigate any ongoing breach or cyberattack.
Investigate nature and cause of compromise, and data affected.
Analyze applicable legal requirements and liability risk.
Notify people affected, law enforcement, and any others as required.
Review what went wrong and implement any lessons learned.
10/07/2019
8
Phase 1 – Detect & Verify
• Several types of remoteaccess trojan (“RAT”)malware were found.
• This would enable remoteaccess into the infectedcomputer to executecommands – like to installand detonate ransomware.
15
Command and Control (“C2”) Server
Victim’s Computer Network
Implant Software
Controller Software
#1. Attacker gains access and installs RAT implant, e.g., with spear-phishing email.
#2. Implant periodically contacts C2 server requesting commands.
#3. Controller sends commands to the implant to control victim’s computer.
#4. Attacker steals the victim’s computer files.
Remote Access Trojan (RAT)
10/07/2019
9
Phase 2 – Mitigate
• The team began right away (Day 1) using off-channel communications.
• Worked to locate malware files and determine the channels for “C2” communication.
• Successful counterstrike ended on Day 12 (e.g., quarantine malware, block C2 traffic, and reset passwords).
• This was done without setting off ransomware or significantly disrupting business operations.
17
Phase 3 – Investigate
Data security firm did a forensic investigation into the nature and scope of compromise:
• First evidence of intrusion was 4 weeks earlier
• Initial point of entry was likely spear-phishing
• 100 computers of various types infected
• Ten sets of stolen credentials, mostly IT staff
• No evidence of data “exfiltration” or searches
18
10/07/2019
10
Challenges & Lessons
• Layers of evidence gathering
• Log management
• Data impact review
• Written incident response plan
19
Router Network monitoring
Endpoints Endpoint monitoring
Files & emails Audit logging
p20
Presentation Roadmap
A. Internet for Lawyers
B. Cyber Incident Response
C. Breach Notification
D. Cybersecurity Law Trends
10/07/2019
11
Phase 4 – Analyze
21
• Breach notification obligations:
– Assortment of state statutes
– Federal sectoral requirements, e.g., GLBA
– PCI-DSS for payment card data
– Foreign laws, e.g., GDPR
– Contract clauses, e.g., DFARS 252.204-7000
• Business impact and reputational harm
• Data security liability exposure
Example: NC’s Data Breach Law
22N.C. Gen. Stat. §§ 75-61, 75-65
• “‘Security breach’. — An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containingpersonal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.”
• The business “shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.”
10/07/2019
12
Example: GLBA Guidelines
2312 C.F.R. § Pt. 30, App. B
• “When a financial institution becomes aware of an incident of unauthorized access tosensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.”
• “If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.”
Example: Europe’s GDPR
24Regulation (EU) 2016/679, Art. 4(12) and 33
• “‘[P]ersonal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
• “In the case of a personal data breach, the controller shall … notify the personal data breach to the supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
10/07/2019
13
Challenges & Lessons
• Key questions for notification analysis:
– Was the defined type of data compromised?
– Did the compromise amount to a “breach”?
– If required, was there risk of harm?
• Notifying law enforcement
• Contract review for breach notification and data security clauses
• Data mapping and management
25
p26
Presentation Roadmap
A. Internet for Lawyers
B. Cyber Incident Response
C. Breach Notification
D. Cybersecurity Law Trends
10/07/2019
14
Evolving Duty of Cybersecurity
27
• Affirmative data security obligations:
– Growing number of state laws
– Federal sectoral requirements, e.g., GLBA
– PCI-DSS for payment card data
– Foreign laws, e.g., GDPR
– Contract requirements, e.g., NIST SP 800-171
• Common law torts, e.g., negligence
• “Unfair or deceptive acts or practices” (UDAP)
28
• In 2008-2009, Wyndham suffered three data breaches of over 600,000 customers’ records, leading to over $10.6 million in fraud.
• In 2012, the FTC sued Wyndham for UDAP in violation of 15 U.S.C. § 45(a).
– “Unfair” based on deficient cybersecurity
– “Deceptive” based on Wyndham’s privacy policy overstating its cybersecurity
FTC Enforcement: Wyndham Hotels (2015)
10/07/2019
15
29
The alleged “unfair” cybersecurity included:
o Storing credit card data in clear text
o Allowing simple passwords for sensitive servers
o Failure to use basic network safeguards (firewalls)
o Failure to adequately oversee the cybersecurity of hotels connecting to Wyndham’s network
o Allowing vendors unnecessary system access
o Failure to take reasonable measures for security investigations or incident response
FTC Enforcement: Wyndham Hotels (2015)
30
• Wyndham refused to settle, challenging the FTC’s authority to bring such actions.
• In 2015, the Third Circuit upheld the FTC’s interpretation of their § 45(a) authority, ruling that UDAP may include unfair or deceptive cybersecurity practices. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)
FTC Enforcement: Wyndham Hotels (2015)
10/07/2019
16
31
• In December 2014, Yahoo’s information security team became aware that nation-state hackers stole personal data of 108 million users and gained access to 26 email accounts.
• The 26 users with compromised accounts were notified, and their passwords reset.
• Yahoo’s senior management and legal teams received internal reports about the breach.
SEC Enforcement: Altaba/Yahoo! (2018)
32
• In June 2016, Yahoo’s new CISO concluded their entire user database had been compromised by the hacker group over several intrusions, including the 2014 breach.
• In September 2016, Yahoo finally disclosed the breach, having already negotiated their acquisition by Verizon. The disclosure led to a $350 million reduction in the purchase price.
SEC Enforcement: Altaba/Yahoo! (2018)
10/07/2019
17
KARIM BARATOV
34
• The SEC brought an action against Yahoo for Securities Act violations based on material omissions in SEC filings and failure to maintain adequate disclosure controls.
• As the SEC explained, “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the [2014] breach …”
• In 2018, Altaba/Yahoo settled for $35 million.
SEC Enforcement: Altaba/Yahoo! (2018)
10/07/2019
18
35
• In Summer 2018, British Airways suffered a cyberattack in which details from 380,000 booking transactions were stolen, including customer payment card data.
• On July 8, 2019, the UK Information Commissioner’s Office (ICO) announced a penalty of about $229 million under GDPR.
• This is the largest fine ever imposed for a data breach, and the first under GDPR.
UK ICO Enforcement: British Airways (2019)
Allen T. O’RourkeWomble Bond Dickinson (US) LLP
Contact Information
Charlotte Officet: 704.350.6357e: [email protected]
Social Media
linkedin.com/in/allenorourke